(57) Abstract:

PROBLEM TO BE SOLVED: To realize a high-precision network intrusion detection device, and to protect the privacy of legitimate users by narrowing the targets of information collection down to suspects.

SOLUTION: A plurality of detection patterns corresponding to intrusion patterns are prepared beforehand, and the detection patterns are switched dynamically as needed by an investigative information collection controller 2. Subtle signs indicating the possibility of an intrusion are also made objects of monitoring by the investigative information collection controller 2, which controls a network monitor 1 and a traffic monitoring device 3 so that the monitoring regime changes according to the threat level. Moreover, a fixed amount of packets is always held by the traffic monitoring device 3, so that the state before the intrusion can also be used as investigative information.

* NOTICES *

JPO and INPIT are not responsible for any damages caused by the use of this translation.

1. This document has been translated by computer, so the translation may not reflect the original precisely.
2. **** shows a word which could not be translated.
3. In the drawings, words are not translated.



CLAIMS 



[Claim(s)] 

[Claim 1] A network intrusion detection system comprising:

a network monitor which acquires network management information from a surveillance object network and detects the existence of a network intrusion and its intrusion pattern; and

an investigative information collection controller which collates said intrusion pattern against two or more detection patterns prepared beforehand for each intrusion pattern, dynamically changes the detection pattern to be applied, and collects investigative information according to the detection pattern concerned.

[Claim 2] The network intrusion detection system according to claim 1, further comprising a traffic monitoring instrument which, in response to a request from said investigative information collection controller, outputs investigative information according to said detection pattern, including information prior to the intrusion.

[Claim 3] The network intrusion detection system according to claim 1, wherein said investigative information collection controller is provided with an attack-source monitoring unit which intensively monitors communication from a specific intruder detected by said network monitor.

[Claim 4] The network intrusion detection system according to claim 1, wherein said investigative information collection controller is provided with an attack-target monitoring unit which intensively monitors communication to a specific attack target detected by said network monitor.

[Claim 5] The network intrusion detection system according to claim 1, provided with an alert verification part which verifies whether detection information detected by said network monitor is valid or a false detection.
[Claim 6] The network intrusion detection system according to claim 5, wherein said alert verification part refers to a database in which surveillance object network information is stored, and reflects at least one of the importance of the alert-target host, the traffic volume of the alert-target host, and the importance of the alert-target service in the information acquisition level of investigative information from said traffic monitoring instrument.

[Claim 7] The network intrusion detection system according to claim 6, characterized by comprising:

an attack-technique pattern in which an attack-technique sequence and countermeasure processing are defined beforehand for said investigative information collection controller; and

an attack-technique monitoring unit which extracts an attack-technique candidate by comparing the attack-technique pattern with investigative information from the attack-source host acquired from said traffic monitoring instrument, and, when the attack-technique candidate concerned is found, performs the countermeasure processing, including blocking of the counterpart.

[Claim 8] A network intrusion detection method comprising: acquiring network management information from a surveillance object network and detecting the existence of a network intrusion and its intrusion pattern; and collating said intrusion pattern against two or more detection patterns prepared beforehand for each intrusion pattern, dynamically changing the detection pattern to be applied, and collecting investigative information according to the detection pattern concerned.



DETAILED DESCRIPTION 



[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] This invention relates to a network intrusion detection system and a method for the same; in detail, to an integrated security system, and a method for the same, which acquires detailed information before and after a security incident by improving the network intrusion detection system (NIDS: Network Intrusion Detection System) that detects the existence of network intrusions, and by cooperating with a management system.
[0002] 

[Description of the Prior Art] Providing services to corporate transactions and to customers over the Internet is a matter of the utmost importance for a company seeking strategic business deployment. However, the Internet communication environment is exposed to various threats, such as unauthorized entry by hackers and virus infection. A firewall, placed between the corporate network and the Internet, functions as a sensor which intercepts unauthorized access from the Internet. In a network system with a firewall, gateway access from the inside to the outside is enabled, and the various services of the Internet can be used safely. However, unauthorized entry by a hacker still poses the danger of various attacks, such as an attack exploiting a security hole in the firewall itself, an attack by port scan, and a denial-of-service attack which blocks access.
[0003] 

[Problem(s) to be Solved by the Invention] As described above, computer systems are exposed to unauthorized use, and a security system using the conventional NIDS has the drawbacks (1) to (5) enumerated below.

[0004] (1) Only detection according to detection patterns uniquely defined beforehand can be performed, so there are many false detections.

(2) As intrusion means advance, the detection definition pattern becomes complicated and writing a definition is difficult.

(3) Since only the packets matching the (inaccurate) NIDS definition were detected, the information required to follow the series of the attacker's actions before and after the detection could not be acquired. To record an attack technique comprising plural steps, the only means was to operate a packet monitor and recorder independent of the NIDS after the NIDS detected an intrusion, so detailed information could not be acquired promptly. A dynamic monitoring regime according to the threat level could not be built; if instead detailed information about intrusions were always recorded, packet monitoring and recording would require many computer resources such as disk and CPU, and analysis of the huge amount of collected information would be practically impossible.

(4) When an intrusion was detected, it was difficult to verify whether it was a real intrusion or a false detection. Settings to acquire detailed information had to be made beforehand in order to verify a detection result, and even if the settings were changed after detection so that detailed information could be acquired, in many cases the intrusion had already finished, and it was too late.

(5) Information gathering risked infringing on the privacy of legitimate users.
[0005] This invention was made in light of the above circumstances. Its purpose is to provide a network intrusion detection system, and a method for the same, which achieves high precision of the NIDS by preparing two or more detection patterns corresponding to an intrusion pattern and changing them dynamically as needed, by providing a structure which acquires detailed information so that sources of information are increased and utilized as investigative information, and by cooperating with a traffic monitoring instrument so that the detailed information comes to hand. A further purpose is to provide a network intrusion detection system, and a method for the same, which also makes subtle signs indicating the possibility of an intrusion an object of monitoring and changes the network monitoring regime according to the level, so that the collection object of information is narrowed down to suspects and the privacy of legitimate users is protected.
[0006] 

[Means for Solving the Problem] In order to solve the above technical problem, this invention is characterized by comprising:

a network monitor which acquires network management information from a surveillance object network and detects the existence of a network intrusion and its intrusion pattern; and

an investigative information collection controller which collates said intrusion pattern against two or more detection patterns prepared beforehand for each intrusion pattern, dynamically changes the detection pattern to be applied, and collects investigative information according to the detection pattern concerned.

[0007] In this invention, a traffic monitoring instrument is provided which outputs investigative information according to said detection pattern, including information prior to the intrusion, in response to a request from said investigative information collection controller.

[0008] In this invention, said investigative information collection controller is provided with an attack-source monitoring unit which intensively monitors communication from a specific intruder detected by said network monitor.

[0009] In this invention, said investigative information collection controller is provided with an attack-target monitoring unit which intensively monitors communication to a specific attack target detected by said network monitor.

[0010] In this invention, an alert verification part is provided which verifies whether detection information detected by said network monitor is valid or a false detection.

[0011] In this invention, said alert verification part refers to a database in which surveillance object network information is stored, and reflects at least one of the importance of the alert-target host, the traffic volume of the alert-target host, and the importance of the alert-target service in the information acquisition level of the investigative information from said traffic monitoring instrument.

[0012] In this invention, said investigative information collection controller has an attack-technique monitoring unit which extracts an attack-technique candidate by comparing an attack-technique pattern, in which an attack-technique sequence and countermeasure processing are defined beforehand, with the investigative information from the attack-source host acquired from said traffic monitoring instrument, and, when the attack-technique candidate concerned is found, performs the countermeasure processing, including blocking of the counterpart.
[0013] By preparing two or more detection patterns corresponding to an intrusion pattern beforehand in the above composition, and providing a structure that changes them dynamically as needed, and by extending the object of collection, compared with the existing NIDS, to extensive information including network management information, sources of information can be increased and utilized as investigative information. High precision of the NIDS can be attained by finely controlling the NIDS detection pattern and the information acquisition pattern. Because the traffic monitoring instrument always holds a fixed amount of packets, the investigative information collection controller can also use the state before the intrusion as detection information. Therefore, from the packets held and the information acquired as above, the attack technique can be verified after the intrusion has been detected. Subtle signs indicating the possibility of an intrusion can also be made objects of monitoring, and the monitoring regime can be changed by the investigative information collection controller according to the level. Specifically, directions are issued to the traffic monitoring instrument as needed and the information acquisition level is changed dynamically; as a result, the collection object of information is narrowed down to suspects, and the privacy of legitimate users can be protected.

JP 2002-342276

[0014] In order to solve the above technical problem, this invention is a network intrusion detection method which acquires network management information from a surveillance object network, detects the existence of a network intrusion and its intrusion pattern, collates said intrusion pattern against two or more detection patterns prepared beforehand for each intrusion pattern, dynamically changes the detection pattern to be applied, and collects investigative information according to the detection pattern concerned.

[0015] In this invention, the investigative information output according to said detection pattern also includes information prior to the intrusion.
[0016] 

[Embodiment of the Invention] Drawing 1 is a block diagram showing one embodiment of the network intrusion detection system of this invention. The network intrusion detection system of this invention comprises a network monitor 1, an investigative information collection controller 2, a traffic monitoring instrument 3, and a surveillance object network 4. The network monitor 1 acquires network management information from the surveillance object network 4 and has the function of detecting the existence of a network intrusion and its intrusion pattern. The investigative information collection controller 2 collates the intrusion pattern against two or more detection patterns prepared beforehand for each intrusion pattern, dynamically changes the detection pattern to be applied, and has the function of collecting investigative information according to the detection pattern concerned. The traffic monitoring instrument 3 has the function of outputting investigative information according to the detection pattern, including information prior to the intrusion, in response to a request from the investigative information collection controller 2.

[0017] The network monitor 1 comprises a network monitoring unit 11 and a surveillance object network information DB (database) 12. The network monitoring unit 11 acquires network management information from the surveillance object network 4; when it detects an unauthorized entry it gives detection information (alert information) to the investigative information collection controller 2, and it provides the surveillance object network information accumulated in the surveillance object network information DB 12 in response to a surveillance object network information request from the controller 2. Besides network configuration information, service information, and operation information, IP packet information comprising a header and a payload (contents) is accumulated in the surveillance object network information DB 12. Network configuration information is the detailed routing information of apparatus such as hosts and routers connected to the network; service information is a host's service provision policy and the services actually provided by the host; operation information is the traffic information for every host and the traffic information (access frequency) for every service. Information about the importance of hosts and services, and about the level of traffic volume, is also included in the surveillance object network information DB 12; examples are shown in drawing 6 and drawing 7. Although the surveillance object network information DB 12 is explained here as part of the network monitor 1, it may instead be placed in the investigative information collection controller 2 described later. In that case all fundamental control sections are brought together in the controller 2, and the composition and functions of the network monitor 1 can be simplified.

[0018] The investigative information collection controller 2 is constituted from an alert log DB (database) 22, an attack-source monitoring unit 23, an attack-target monitoring unit 24, an alert verification part 25, and an attack-technique monitoring unit 26, with an information gathering control section 21 at its core, from which the traffic monitoring instrument 3 is started. As shown in drawing 2, the information gathering control section 21 comprises a rule analyzing part 211, a pattern match part 212, an action execution part 213, and a rule library 214.

[0019] As described above, two or more detection patterns are prepared beforehand in the investigative information collection controller 2 for each intrusion pattern. Here the detection patterns are organized as a library of rules and stored in the rule library 214. The rule analyzing part 211 reads and analyzes these rules, the pattern match part 212 compares them with the IP packets obtained via the network monitoring unit 11, and the action execution part 213 performs the action of the detection pattern that matched. The actions here are start and stop of traffic recording, attack-source monitoring, attack-target monitoring, alert verification, and attack-technique monitoring, and the rule set is changed as needed.

[0020] An example of a rule format and examples of rules are shown in drawing 3 and drawing 4, respectively. A rule is defined by a "pattern" part and an "action" part, as shown in drawing 3 (a). The pattern part describes the protocol (protocol), such as tcp (Transmission Control Protocol) or udp (User Datagram Protocol); a source specification (source-spec), such as an IP address and port number; the direction, bidirectional or unidirectional (<> or ->); a destination specification (dest-spec), an IP address and port number; and other matching specifications (matching-spec) on the payload part, etc. The * mark in the figure means repetition.

[0021] Drawing 3 (b) shows the format of the pattern part. Besides the IP address and port number mentioned above, the items available for pattern matching are the TTL value (ttl), the ICMP (Internet Control Message Protocol) type (itype), the ICMP code (icode), the minimum fragment payload size (minfrag), the TCP sequence number (seq), the TCP ACK (acknowledge) number (ack), the fragmentation ID number of the IP header (id), the payload size (dsize), and the contents of the packet (content). Drawing 3 (c) shows the action information: alert (alert), which sends alert information to the manager of the upper device (the information gathering control section 21); log (log), which stores a message in a log file; fork-ruleset (fork-ruleset), which changes the rule set; record (record), which controls the traffic monitoring instrument 3; etc.

[0022] Drawing 4 shows examples of rules in the format of drawing 3 for performing attack-source monitoring, for performing attack-target monitoring, and for switching to attack-source monitoring when a port scan is detected. The rule named "sniffing-host" for attack-source monitoring means: monitor any protocol from any port of IP address "192.168.10.10" to any port of the variable $HOME_NET, and record everything. The rule named "watch-home" for attack-target monitoring means: monitor any protocol from any IP address and any port to any port of IP address "192.168.0.5", and record the first 20 bytes of the payload in addition to all header information. The rule named "switch-snif", for performing attack-source monitoring when a port scan is detected, means: when a port scan against any port of the variable $HOME_NET is detected from the address held in the variable $SOURCE, change the rule set to "sniffing-host", which monitors any port of that IP address with any protocol.

[0023] The attack-source monitoring unit 23 and the attack-target monitoring unit 24 intensively monitor, respectively, communication from a specific intruder and communication to a specific attack target detected by the network monitor 1. The alert verification part 25 has the function of verifying whether detection information detected by the network monitor 1 is valid or a false detection; it refers to the surveillance object network information DB 12 and reflects at least one of the importance of the alert-target host, the traffic volume of the alert-target host, and the importance of the alert-target service in the information acquisition level of the investigative information from the traffic monitoring instrument 3. The attack-technique monitoring unit 26 extracts an attack-technique candidate by comparing an attack-technique pattern, in which the attack-technique sequence and countermeasure processing are defined beforehand, with the investigative information showing the history of the attack-source host acquired from the traffic monitoring instrument 3, and when the attack-technique candidate concerned is found, it has the function of performing the countermeasure processing, including blocking of the counterpart. The individual cases of the attack-source monitoring unit 23 and the attack-target monitoring unit 24 are as shown in drawing 4; details of the alert verification part 25 and the attack-technique monitoring unit 26 are described later using individual cases.
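The rule format of [0020] and [0021] and the rule-set switch of [0022] (and the smtp example of [0033]), as an added example that is not the patent's own code: each rule has a pattern part and an action part, and a "fork-ruleset" action fired by a port scan binds the scanning address to $SOURCE and swaps in the "sniffing-host" set. Field names, the port-scan threshold, the $SOURCE binding, and the traffic are assumptions made for this example.

```python
# Added example, not the patent's own code. Field names, the port-scan threshold,
# the $SOURCE binding and the sample traffic are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                 # "tcp", "udp", "icmp" or "any"
    src: str                   # IP address, CIDR, "$VARIABLE" or "any"
    sport: Optional[int]       # None = any port
    direction: str             # "->" unidirectional, "<>" bidirectional
    dst: str
    dport: Optional[int]
    action: str                # "alert", "log", "record" or "fork-ruleset"
    arg: Optional[str] = None  # record: payload bytes to keep or "all"; fork-ruleset: new set
    event: str = "packet"      # "packet", or "portscan" for rules fired by scan detection


class RuleEngine:
    PORTSCAN_PORTS = 5  # distinct $HOME_NET ports touched by one source (assumed threshold)

    def __init__(self, rulesets: Dict[str, List[Rule]], active: str, variables: Dict[str, str]):
        self.rulesets, self.active, self.vars = rulesets, active, dict(variables)
        self.records: List[Tuple[str, str, bytes]] = []  # (rule name, source, bytes kept)
        self.alerts: List[str] = []
        self._ports: Dict[str, Set[int]] = {}

    def _addr(self, spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        if spec.startswith("$"):
            spec = self.vars.get(spec, "")
            if not spec:
                return False  # an unbound variable never matches
        if "/" in spec:
            return ip_address(addr) in ip_network(spec)
        return addr == spec

    def _one_way(self, r: Rule, src: str, sport: int, dst: str, dport: int) -> bool:
        return (self._addr(r.src, src) and r.sport in (None, sport)
                and self._addr(r.dst, dst) and r.dport in (None, dport))

    def _matches(self, r: Rule, p: Packet) -> bool:
        if r.proto not in ("any", p.proto):
            return False
        if self._one_way(r, p.src, p.sport, p.dst, p.dport):
            return True
        return r.direction == "<>" and self._one_way(r, p.dst, p.dport, p.src, p.sport)

    def _act(self, r: Rule, p: Packet) -> None:
        if r.action == "alert":
            self.alerts.append(f"{r.name}: {p.src} -> {p.dst}:{p.dport}")
        elif r.action == "record":  # a direction to the traffic monitoring instrument
            keep = len(p.payload) if r.arg == "all" else int(r.arg or 0)
            self.records.append((r.name, p.src, p.payload[:keep]))
        elif r.action == "fork-ruleset":
            self.vars["$SOURCE"] = p.src  # the scanning host becomes the monitored source
            self.active = r.arg or self.active
        # "log" only writes a message to a log file in the original; omitted here

    def process(self, p: Packet) -> None:
        for r in self.rulesets[self.active]:  # pattern part, then action part
            if r.event == "packet" and self._matches(r, p):
                self._act(r, p)
        # the subtle sign: one source touching many $HOME_NET ports is a port scan
        if self._addr("$HOME_NET", p.dst):
            seen = self._ports.setdefault(p.src, set())
            seen.add(p.dport)
            if len(seen) == self.PORTSCAN_PORTS:
                for r in self.rulesets[self.active]:
                    if r.event == "portscan" and self._matches(r, p):
                        self._act(r, p)


RULESETS = {
    "default": [
        # watch-home: any source to 192.168.0.5, keep headers plus 20 payload bytes
        Rule("watch-home", "any", "any", None, "->", "192.168.0.5", None, "record", "20"),
        # switch-snif: on a port scan against $HOME_NET, switch to the sniffing-host set
        Rule("switch-snif", "any", "any", None, "->", "$HOME_NET", None,
             "fork-ruleset", "sniffing-host", event="portscan"),
    ],
    "sniffing-host": [
        # sniffing-host: everything from the scanning source ($SOURCE) is recorded in full
        Rule("sniffing-host", "any", "$SOURCE", None, "->", "$HOME_NET", None, "record", "all"),
    ],
}


def run_demo() -> RuleEngine:
    """Constructed traffic: a legitimate user, and a host that scans 192.168.0.5."""
    eng = RuleEngine(RULESETS, "default", {"$HOME_NET": "192.168.0.0/24"})
    user, scanner = "192.168.0.77", "10.2.190.38"
    eng.process(Packet("tcp", user, 40001, "192.168.0.5", 80, b"GET / HTTP/1.0\r\nHost: www\r\n\r\n"))
    for port in (21, 22, 23, 25, 80, 443):
        eng.process(Packet("tcp", scanner, 50000 + port, "192.168.0.5", port, b"SYN"))
    eng.process(Packet("tcp", scanner, 50525, "192.168.0.9", 25, b"HELO evil\r\nMAIL FROM:<a@b>\r\n"))
    eng.process(Packet("tcp", user, 40002, "192.168.0.9", 25, b"HELO me\r\n"))
    return eng
```

After the fifth distinct port the engine is running the "sniffing-host" set with $SOURCE bound to 10.2.190.38: the scanner's later smtp attempt is recorded in full, while the legitimate user's smtp session is not recorded at all, which is the narrowing to suspects the patent describes. The switched set deliberately drops "watch-home"; a deployment that wants both would list it in that set as well.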

[0024] The traffic monitoring instrument 3 comprises a traffic monitoring unit 31, a traffic buffer 32, an investigative information extraction part 33, and an investigative information DB (database) 34. The traffic monitoring unit 31 has the function of always accumulating a fixed amount of packets obtained from the surveillance object network 4 in the traffic buffer 32. The traffic buffer 32 is a FIFO (First-In First-Out) buffer, and transmits the already accumulated packet information, in whole predetermined units, on a packet information request from the investigative information extraction part 33. The investigative information extraction part 33 accumulates the transmitted packet information in the investigative information DB 34, and also has the function of supplying detailed information according to the requested information acquisition level by searching the investigative information DB 34 on the basis of the investigative information collection request issued by the investigative information collection controller 2.
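The traffic monitoring instrument of [0024], as an added example that is not the patent's own code: a fixed-size FIFO traffic buffer, and an extraction step that, on a request from the controller, copies the retained packets of one host from before the alert into the investigative information DB. The capacity, timestamps and packet stream are assumptions made for this example.

```python
# Added example, not the patent's own code. Capacity, timestamps and traffic are assumed.
from collections import deque
from dataclasses import dataclass
from typing import Deque, List


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds
    src: str
    dst: str
    dport: int
    payload: bytes


class TrafficMonitor:
    def __init__(self, capacity: int):
        # traffic buffer 32: FIFO, the oldest packet is dropped once `capacity` is reached
        self._buffer: Deque[Packet] = deque(maxlen=capacity)
        self.investigative_db: List[Packet] = []  # investigative information DB 34

    def observe(self, pkt: Packet) -> None:
        """Traffic monitoring unit 31: always keep a fixed amount of recent packets."""
        self._buffer.append(pkt)

    def retained(self) -> List[float]:
        return [p.ts for p in self._buffer]

    def request(self, host: str, alert_ts: float, seconds_before: float) -> List[Packet]:
        """Investigative information extraction part 33: on a request from the controller,
        hand over the retained packets involving `host` from the window before the alert
        (the state prior to the intrusion) and store them in DB 34."""
        hits = [p for p in self._buffer
                if host in (p.src, p.dst) and alert_ts - seconds_before <= p.ts <= alert_ts]
        self.investigative_db.extend(hits)
        return hits


def run_demo() -> TrafficMonitor:
    """Constructed traffic: 10.2.190.38 probes a server while users browse."""
    mon = TrafficMonitor(capacity=6)
    attacker, server = "10.2.190.38", "192.168.0.5"
    stream = [
        Packet(1, "192.168.0.77", server, 80, b"GET /"),
        Packet(2, attacker, server, 79, b"finger root"),      # early probe
        Packet(3, "192.168.0.78", server, 80, b"GET /index"),
        Packet(4, "192.168.0.77", server, 80, b"GET /img"),
        Packet(5, attacker, server, 23, b"telnet login"),
        Packet(6, "192.168.0.79", server, 80, b"GET /doc"),
        Packet(7, "192.168.0.77", server, 80, b"GET /css"),
        Packet(8, attacker, server, 21, b"SYN"),              # port scan begins
        Packet(9, attacker, server, 80, b"A" * 32),           # overflow attempt: alert here
        Packet(10, "192.168.0.78", server, 80, b"GET /"),
    ]
    for p in stream:
        mon.observe(p)
    return mon
```

With a capacity of six packets, a request at the time of the alert (ts 9) for the attacker's traffic returns the telnet login, the scan and the overflow attempt, but the finger probe at ts 2 has already been evicted: the buffer has to be sized to the dwell time of the attack techniques one wants to reconstruct. Only the suspect's packets leave the buffer; the users' requests stay unexamined.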

[0025] Drawing 5 is a conceptual diagram illustrating the operation of a network security system built around the investigative information collection controller 2 shown in drawing 1. Here, intrusion detection information and related information concerning the server 5-1 on the surveillance network 4-1 are detected by the network monitor 1-1 and notified to the investigative information collection controller 2 (**). To strengthen surveillance of the related links, the controller 2 issues directions so that the network monitors 1-2 and 1-3, which form a group, monitor intensively on the basis of the source address information etc. detected by the network monitor 1-1 (**). The network monitors 1-2 and 1-3 collect information about the attack technique at the same time (**). To realize a priori watching for the attack on the network 4-2, which differs from the surveillance network 4-1, the controller also has the network monitor 1-4, which is not directly related, watch whether the attack technique made clear by ** is used there, striving for early detection.

[0026] In the flow chart shown in drawing 6, the alert verification part 25 first acquires attack-target host information from the surveillance object network information DB 12, on the assumption that the target OS, target network service, target version, target patch level, etc. have been registered (Step S61). The alert verification part 25 confirms whether the OS the alert applies to is equal to the attack-target OS (Step S62); when judged not equal, invalid alert processing is performed (Step S63), and when judged equal, it further confirms whether the network service the alert applies to is working on the attack-target host (Step S64).

[0027] When it judges that the network service of the alert is not working on the attack-target host, network service verification processing is performed (Step S65); when judged working, it confirms whether the version of the network service of the alert is the same as that on the attack-target host (Step S66). Network service verification processing (Step S65) judges whether the network service of the alert is actually working on the attack-target host at present (Step S610); if it is not working, invalid alert processing is performed at Step S612, and if it is working, unauthorized service processing is performed at Step S611. When it judges that the version of the network service of the alert differs from the one working on the attack-target host, invalid alert processing is performed (Step S67); when judged equal, the effective alert processing shown in drawing 7 is started (Step S68). The alert verification processing from Step S61 to Step S68 described above is repeated until all attack-target hosts have been processed (Step S69).
[0028] In the flow chart shown in drawing 7, the alert verification part 25 checks the importance of the alert-target host defined in the surveillance object network information DB 12, and when judged high compared with a threshold set beforehand, performs processing which increments the importance by one (Step S72). When the importance is not so high, it further checks the traffic volume of the alert-target host with reference to the surveillance object network information DB 12, and when judged high, increments the importance by one. When the traffic volume is not so high, it further checks the importance of the alert-target service, and when that importance is high, increments the importance by one. When it is not so high, effective alert processing ends. The reason the alert verification part 25 controls importance in addition to mere alert verification is to use it for level judgment when controlling the traffic monitoring instrument 3 and collecting detailed information.

[0029] An example of input and output for alert verification is shown in drawing 8. In drawing 8, the alert verification part 25 first receives alert information as input from the network monitoring unit 11 via the information gathering control section 21. Alert information #1 has ID "1080", alert-target host address "192.168.0.1", kind "SNMP public access", network service name "SNMP: Simple Network Management Protocol", port number "161", and version "any". Alert information #2 has alert-target host address "192.168.0.1", kind "anonymous ftp", network service name "FTP: File Transfer Protocol", port number "21", and version "any". On the other hand, the attack-target network information DB 12 holds the host "192.168.0.1" together with its registered network service. As an output item, as a result of the verification, effective alert processing is performed for alert information #1.
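The verification flow of drawings 6 and 7 ([0026] to [0028]) run over the two alerts of drawing 8, as an added example that is not the patent's own code. The page states only that alert #1 ends in effective alert processing; the DB 12 entry for 192.168.0.1 (SNMP registered, FTP not), the OS fields, the live-probe callback standing in for network service verification processing, the threshold, and the third alert that exercises Step S611 are assumptions made for this example.

```python
# Added example, not the patent's own code. The DB entry, OS fields, probe,
# threshold and alert #3 are assumptions; the page gives only the outcome for #1.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Service:
    port: int
    version: Optional[str]      # None = unknown
    importance_high: bool = False


@dataclass
class HostInfo:                 # one entry of surveillance object network information DB 12
    os: str
    services: Dict[str, Service]  # services registered as running on the host
    importance: int = 0
    traffic_high: bool = False


@dataclass(frozen=True)
class Alert:                    # alert information from the network monitor 1
    number: int
    host: str
    kind: str
    service: str
    port: int
    version: Optional[str] = None   # None = any version
    os: Optional[str] = None        # None = signature applies to any OS


def verify_alert(alert: Alert, db: Dict[str, HostInfo], threshold: int,
                 probe: Callable[[str, int], bool]) -> Tuple[str, int]:
    """Return (verdict, acquisition level). Verdicts: "effective", "invalid", or
    "unauthorized service" (S611: a service not registered for the host answers)."""
    host = db.get(alert.host)                                  # S61
    if host is None or (alert.os is not None and alert.os != host.os):
        return "invalid", 0                                    # S62 -> S63
    svc = host.services.get(alert.service)                     # S64
    if svc is None or svc.port != alert.port:
        # S65/S610: network service verification, i.e. does the service answer right now?
        if probe(alert.host, alert.port):
            return "unauthorized service", 0                   # S611
        return "invalid", 0                                    # S612
    if alert.version not in (None, svc.version):
        return "invalid", 0                                    # S66 -> S67
    # S68: effective alert processing of drawing 7 raises the acquisition level once
    level = 0
    if host.importance > threshold:                            # S72
        level += 1
    elif host.traffic_high:
        level += 1
    elif svc.importance_high:
        level += 1
    return "effective", level


# Constructed DB 12 entry: 192.168.0.1 runs SNMP only (assumption).
DB12 = {"192.168.0.1": HostInfo(os="Linux", importance=3,
                                services={"SNMP": Service(161, None, importance_high=True)})}
ALERTS = [
    Alert(1, "192.168.0.1", "SNMP public access", "SNMP", 161),  # alert #1, ID 1080 on the page
    Alert(2, "192.168.0.1", "anonymous ftp", "FTP", 21),         # alert #2 on the page
    Alert(3, "192.168.0.1", "telnet login", "TELNET", 23),       # added to show the S611 path
]


def no_service(_host: str, _port: int) -> bool:   # constructed probe: nothing extra listens
    return False


def telnet_open(_host: str, port: int) -> bool:   # constructed probe: an unregistered telnet answers
    return port == 23


def run_demo() -> Dict[int, Tuple[str, int]]:
    return {a.number: verify_alert(a, DB12, threshold=2,
                                   probe=telnet_open if a.number == 3 else no_service)
            for a in ALERTS}
```

Alert #1 matches a registered SNMP service and is effective, with the acquisition level raised once because the host's importance exceeds the threshold; alert #2 names an FTP service the host does not run and nothing answers on port 21, so it is invalid; the added alert #3 hits an unregistered telnet that does answer, which is the unauthorized-service outcome of Step S611 rather than a false alert.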

[0030] Drawing 9 and drawing 10 show an example of attack-technique monitoring by the attack-technique monitoring unit 26: a flow chart of the processing, and examples of attack-technique patterns in list form, respectively. As shown in drawing 10, four kinds of attack-technique patterns, (1) to (4), are illustrated, each giving an attack-technique sequence and its countermeasure processing. Attack-technique pattern (1) is a sequence of three steps in which a port scan and a buffer overflow are detected, followed by an attack on Web CGI; as countermeasure processing, the attack-source host (source) is blocked and an alert to the effect "the target host was intruded into from the source" is issued. Attack-technique pattern (2) is a sequence of four steps in which a port scan and a buffer overflow are detected after the "finger" and "telnet" services; as countermeasure processing, the counterpart (source) is blocked and an alert to the effect "the target host was intruded into from the source" is issued.

[0031] On the other hand, attack-technique pattern (3) shows the case where an attack technique from two or more hosts is detected: a distributed DoS attack on the target host (target) from two or more hosts (Other_Hosts) is detected, and subsequently a Ping_of_Death attack on the target host from a counterpart host (Source) is detected; as the countermeasure, the counterpart host and the two or more hosts are blocked and an alert to the effect "the target host was intruded into from the source host" is issued. Attack-technique pattern (4) detects a distributed DoS attack from two or more hosts (Other_Hosts) on the target host that performs DNS (DNS_SERVER); when a DNS message is then seen from a host that is not registered as a DNS (Domain Name Server), the counterpart host and the two or more hosts are blocked and an alert to the effect "the DNS server was downed" is issued.

[0032]In the flow chart shown in drawing 9 t the means Monitoring Department 26 acquires a means pattern 
from means pattern DB270 after receiving alert information (Step S91). As a means pattern, as shown in 
drawing 10 , a confrontation sequence and its confrontation processing are described. The means Monitoring 
Department 26 acquires the hysteresis information from an attacking agency host (source) by referring to 
investigative information DB34 again (Step S92). And in the case of a means from two or more hosts, further 
in addition to this, the means Monitoring Department 26 acquires the hysteresis information from a host 
(Step S93), and performs collation of a means pattern and a history (Step S94). Here, when in agreement, a 
means candidate is scolded (Step S95) f when inharmonious, it returns to processing of Step S91, and the 
following means pattern information is acquired, and henceforth, the above-mentioned operation is repeated 
until a means pattern continues (Step S96). And when a means candidate is scolded, processing described 
by (Step S97) means pattern DB270 as means confrontation is performed. Namely, an attacking agency 
host's (source) shutout and the alert of the purport "it was invaded into the target host with sauce" are 
emitted so that it may be described by drawing 10 , When an attack means from two or more hosts is 
detected, a shutout of other hosts containing the partner point and the alert of the purport "the DNS server 
was Hownp.d" arp. pmittp.H for pyamnlp 
Compared with the existing NIDS, by extending the information made the object of collection to extensive 
information including network management information, sources of information can be increased and 
utilized as investigative information. Higher precision of the NIDS can be attained by fine control of the 
NIDS detection pattern and of the information acquisition pattern. For example, if a port scan of all ports 
is detected and, after that, suspicious access specifically to the smtp port is detected from the same host, 
the NIDS rule is changed so that the intrusion check pattern for smtp vulnerabilities is applied 
preferentially. 
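The rule switch described here, as an added example that is not the patent's own code: rule sets in the style of drawing 4, where a flagged port scan forks a host-specific set that records the scanning host's smtp traffic so the smtp check patterns can be applied to it. The rule set names, the $HOME_NET prefix, the packet fields and the addresses are constructed.

```python
# Constructed rule sets in the spirit of drawing 4. A rule is (condition, action);
# a condition names packet fields that must match, "any" being a wildcard and
# "$source_address" being bound when the set is forked for a particular host.
HOME_NET = "192.168.0."   # constructed prefix standing in for $HOME_NET

RULESETS = {
    "switch-snif": [
        # always active: a flagged port scan toward the home net switches in a
        # host-specific rule set for the scanning host
        ({"dst": "$HOME_NET", "flag": "port-scan-detected"},
         ("fork-ruleset", "smtp-checks")),
    ],
    "smtp-checks": [
        # applied only to the host it was forked for: that host's smtp traffic
        # is recorded in full so the smtp check patterns can be applied to it
        ({"src": "$source_address", "dport": 25}, ("record", "all")),
    ],
}

def matches(cond: dict, pkt: dict) -> bool:
    for key, want in cond.items():
        if want == "any":
            continue
        if want == "$HOME_NET":
            if not str(pkt.get(key, "")).startswith(HOME_NET):
                return False
        elif pkt.get(key) != want:
            return False
    return True

class RuleEngine:
    def __init__(self):
        self.active = [("switch-snif", {})]   # (rule set name, variable bindings)

    def process(self, pkt: dict) -> list:
        """Evaluate the packet against every active rule set and return the
        actions fired; fork-ruleset activates a new set bound to this source."""
        fired = []
        for name, bindings in list(self.active):
            for cond, action in RULESETS[name]:
                bound = {k: bindings.get(v, v) for k, v in cond.items()}
                if matches(bound, pkt):
                    fired.append(action)
                    if action[0] == "fork-ruleset":
                        entry = (action[1], {"$source_address": pkt["src"]})
                        if entry not in self.active:
                            self.active.append(entry)
        return fired
```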

[0034]Subtle signs that indicate the possibility of intrusion are also made a surveillance object, and the 
surveillance system is changed by the investigative information collection control device 2 according to 
the level. Specifically, directions are issued to traffic monitoring instrument 3 as needed and the 
information acquisition level is changed dynamically; as a result, the objects of information collection are 
narrowed down to suspicious persons, and the privacy of regular access persons can be protected. For 
example, at a certain step, when the NIDS detects suspicious motion that may lead to intrusion from a 
certain IP address, the first n bits of every packet from that IP address to the particular port concerned 
are recorded. When the suspicious motion from that IP address continues and is detected for n minutes or 
more at the following step, the first n bits of every packet from that IP address to all ports are recorded. 
When the possibility of intrusion from that IP address is detected at the following step, all packets from 
that IP address are recorded. 

[0035]By always holding a fixed amount of packets with traffic monitoring instrument 3, the investigative 
information collection control device 2 can use the previous state as investigation information. Verification 
of the means after the intrusion inspection, and of the intrusion itself, is attained from these held packets 
together with the information acquired as described above. For example, suppose a trace of an attempted 
intrusion by "smtp" to port "25" is found in the full record of communication content from IP address 
"10.2.190.38", and it becomes clear that the intrusion ended in failure. Investigating the communication 
record for ports other than port "25" of that host then reveals communication to "cgi" on port "80" in a 
format not normally seen, and as a result it becomes clear that an unusual intrusion method aimed at "cgi" 
on port "80" had also been tried, which would not have been clear from the first trace alone. 
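The staged recording of [0034] and the held-packet lookback of [0035], as an added example (not the patent's own code): the constants standing in for n bits, n minutes and the held amount, and the sample packets and the regular user's address, are constructed; only 10.2.190.38 comes from the description.

```python
from collections import deque

HOLD = 1000      # constructed: fixed number of recent packets always held
N_BITS = 160     # constructed: the "n bits" kept from each packet head
N_MINUTES = 5    # constructed: the "n minutes" of continued suspicious motion

class TrafficMonitor:
    def __init__(self):
        self.held = deque(maxlen=HOLD)   # the last HOLD packets, all sources
        self.state = {}                  # src -> [level, port, first_minute]

    def suspicious(self, src, port, minute):
        """Level 1 on the first suspicious motion toward port; level 2 once it
        has continued for N_MINUTES or more (the following step of [0034])."""
        st = self.state.setdefault(src, [1, port, minute])
        if st[0] == 1 and minute - st[2] >= N_MINUTES:
            st[0] = 2
        return st[0]

    def intrusion_possible(self, src):
        # level 3: a possibility of intrusion from src has been detected
        self.state.setdefault(src, [3, None, None])[0] = 3
        return 3

    def observe(self, pkt):
        # hold the packet and return what of it is recorded for analysis
        self.held.append(pkt)
        level, port, _ = self.state.get(pkt["src"], (0, None, None))
        if (level == 1 and pkt["dport"] == port) or level == 2:
            return {"record": "head", "bits": N_BITS}
        if level == 3:
            return {"record": "all"}
        return {"record": "none"}        # regular users: nothing is recorded

    def lookback(self, src, exclude_port):
        """[0035]: review the held packets from src to every other port."""
        return [p for p in self.held if p["src"] == src and p["dport"] != exclude_port]

def demo():
    mon = TrafficMonitor()
    atk, usr = "10.2.190.38", "10.2.190.40"   # page's example address; constructed user
    mon.observe({"src": atk, "dport": 80, "path": "/cgi-bin/a"})   # held, not recorded
    r0 = mon.observe({"src": usr, "dport": 80, "path": "/index"})
    mon.suspicious(atk, 25, minute=0)
    r1 = mon.observe({"src": atk, "dport": 25, "path": "HELO"})
    r1b = mon.observe({"src": atk, "dport": 80, "path": "/cgi-bin/b"})
    mon.suspicious(atk, 25, minute=6)
    r2 = mon.observe({"src": atk, "dport": 80, "path": "/cgi-bin/c"})
    mon.intrusion_possible(atk)
    r3 = mon.observe({"src": atk, "dport": 25, "path": "MAIL"})
    return r0, r1, r1b, r2, r3, mon.lookback(atk, 25)
```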

[0036]The procedures performed by each of the above-mentioned network monitor 1, investigative 
information collection control device 2, traffic monitoring instrument 3, network Monitoring Department 11, 
information gathering control section 21, attacking agency Monitoring Department 23, target-of-attack 
Monitoring Department 24, alert verification part 25, means Monitoring Department 26, traffic Monitoring 
Department 31, operation information extraction part 33, rule analyzing part 211, pattern match part 212, 
and action execution part 213 may be recorded on a computer-readable recording medium, and the program 
recorded on this recording medium may be read into a computer system to realize the function of each 
device mentioned 
magneto-optical disc, ROM, and CD-ROM, and a computer system. Furthermore, the "computer-readable 
recording medium" shall also include something that holds the program for a fixed time, like the volatile 
memory (RAM) inside a computer system used as a server or a client when the program is transmitted via 
communication lines such as a network like the Internet or a telephone line. 
[0038]The above-mentioned program may be transmitted from the computer system that stores this 
program in a storage device etc. to another computer system via a transmission medium, or by a 
transmitted wave in a transmission medium. Here, the "transmission medium" which transmits a program 
means a medium having the function of transmitting information, like a communication line (communication 
wire) such as a network (communications network) like the Internet or a telephone line. The 
above-mentioned program may realize only part of the functions mentioned above. It may also be what 
realizes the functions mentioned above in combination with a program already recorded on the computer 
system, that is, a so-called patch file (difference program). 

[0039]As mentioned above, although the embodiment of this invention has been explained in detail with 
reference to the drawings, the concrete composition is not restricted to this embodiment, and designs etc. 
within a range that does not deviate from the gist of this invention are included. Although a number of 
rules, patterns, etc. were illustrated, these are only examples and do not limit the format or operation. 
[0040] 

[Effect of the Invention]As explained above, according to this invention, sources of information are 
increased and can be utilized as investigative information by extending the information made the object of 
collection, compared with the existing intrusion detecting device, to extensive information including network 
management information. Therefore, higher precision of the NIDS can be attained by fine control of the 
NIDS detection pattern and of the information acquisition pattern. Surveillance of suspicious persons is 
realizable; further, the accuracy of intruder detection improves, more precise intrusion information can be 
acquired so that quick management is attained, and wrong detection can also be reduced. 

[0041] According to this invention, the following effects are also acquired in addition to the above. 

(1) Detailed analysis of a "means" is attained, and it becomes easy to form a plan for dealing with the 
event afterwards, by using the information from just before the intrusion. 

(2) Investigation can be performed by dynamically changing the surveillance object and level based on the 
contents of the detected information, without touching the traffic contents of ordinary normal users. 

(3) By narrowing down the objects from which information is collected, the information required for the 
next analysis can be acquired with few computer resources, and the sensor load can be reduced. 

(4) A regular access person's privacy can be protected by narrowing down the collection object of 
information to a suspicious person. 
consideration of the operational situation of the target network. 
[Fig. 3] Rule syntax of the rule library (recovered from the figure): 

  rule        := [pattern] actions 
  pattern     := protocol source-spec {<>|->} dest-spec (matching-spec*) 
  protocol    := {tcp|udp|any} 
  source-spec := ip-address port-no 
  dest-spec   := ip-address port-no 
  ip-address  := {IP Address | IP Address Range | any} 
  port-no     := {NUMBER | NUMBER_LOW-NUMBER_HIGH} 
  ruleset     := ruleset rulename { rule* } 

Matching options: ttl (TTL value), itype (ICMP type), icode (ICMP code), minfrag (minimum fragment size), 
seq (TCP sequence number), ack (TCP ACK number), id (IP header fragment ID), dsize (payload size), 
content (packet content). 

Actions: alert (issue an alert), log (write to the specified log file), fork-ruleset (activate another rule set), 
record (record the traffic). 
[Fig. 4] Example rule sets written in the rule syntax of Fig. 3 (recovered from the figure): 

  ruleset sniffing-host { 
    [any 192.168.10.10 any -> $HOME_NET any] record(all) 
  } 

  ruleset watch-home { 
    [any any any -> 192.168.0.5 any] record(header+20byte) 
  } 

  ruleset switch-snif { 
    [any any any -> $HOME_NET any port-scan-detected] fork-ruleset sniffing-host($source_address) 
  } 

[Fig. 10] Means patterns stored in means pattern DB 270 (recovered from the figure): 

  Means pattern (1) 
    sequence:       Port-scan(source, target), Web-cgi(source, target), buffer_overflow(source, target) 
    countermeasure: Shutout(source), Alert("target is intruded by source") 

  Means pattern (2) 
    sequence:       Port-scan(source, target), finger(source, target), telnet(source, target), 
                    buffer_overflow(source, target) 
    countermeasure: Shutout(source), Alert("target is intruded by source") 

  Means pattern (3) (attack from two or more hosts) 
    sequence:       DDOS(OtherHosts, target), Ping_Of_Death(source, target) 
    countermeasure: Shutout(OtherHosts), Shutout(source), Alert("target is intruded by source") 

  Means pattern (4) 
    sequence:       DDOS(OtherHosts, DNS_SERVER), false_DNS_reply(source) 
    countermeasure: Shutout(OtherHosts), Shutout(source), Alert("DNS_SERVER is down") 
[Fig. 6] Flowchart, steps S61 to S612 (only the labels OS, version and patch level are recoverable from the 
figure). 

[Fig. 7] Flowchart, steps S72 to S76 (only the labels OS, version and patch level are recoverable from the 
figure). 
[Fig. 8] Example alert data and host information used for alert verification (recovered from the figure): 

  Alert #1 
    ID: 1080 
    TARGET_HOST: 192.168.0.1 
    KIND: "SNMP public access" 
    NETWORK_SERVICE: SNMP 
    PORT: 161 
    VERSION: ANY 

  Alert #2 
    ID: 1080 
    TARGET_HOST: 192.168.0.1 
    KIND: "anonymous ftp" 
    NETWORK_SERVICE: FTP 
    PORT: 21 
    VERSION: ANY 

  Host information (260) 
    HOST: 192.168.0.1 
    NETWORK_SERVICE: SNMP, VERSION: 2.0, STATUS: ACTIVE 

  Host information (#3) 
    HOST: 192.168.0.1 
    NETWORK_SERVICE: SNMP, VERSION: 2.0, STATUS: ACTIVE 
    NETWORK_SERVICE: FTP, VERSION: 3.0, STATUS: INACTIVE 
[Fig. 9] Flowchart of the means monitoring processing (steps S91 to S97), referring to means pattern DB 270 
and investigative information DB 34. 